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Abstract 

Recent theoretical results confirm that quantum theory provides the possibil- 
ity of new ways of performing efhcient calculations. The most striking example 
is the factoring problem. It has recently been shown that computers that exploit 
quantum features could factor large composite integers. This task is believed 
to be out of reach of classical computers as soon as the number of digits in 
the number to factor exceeds a certain limit. The additional power of quantum 
computers comes from the possibility of employing a superposition of states, 
of following many distinct computation paths and of producing a final output 
that depends on the interference of all of them. This "quantum parallelism" 
outstrips by far any parallelism that can be thought of in classical computation 
and is responsible for the "exponential" speed-up of computation. 

Experimentally, however, it will be extremely difScult to "decouple" a quan- 
tum computer from its environment. Noise fluctuations due to the outside world, 
no matter how little, are sufficient to drastically reduce the performance of these 
new computing devices. To control the nefarious effects of this environmental 
noise, one needs to implement efficient error-correcting techniques. 

1 Computation and Physics 

We are not used to thinking of computation in physical terms. We look on it as 
made up of theoretical, mathematical operations; but under close scrutiny, effecting 
a computation is essentially a physical process. Take a simple example, say "2 -|- 3" ; 
how is this trivial computation handled by a computer? The inputs 2 and 3 are 
two abstract quantities, and before carrying out any computation, they are encoded 
in a physical system. This can take several radically different forms depending on 
the computing device: voltage potentials at the gates of a transistor on a silicon 
microchip, beads on the rods of an abacus, nerve impulses on the synapse of a 
neuron, etc. The computation itself consists of a set of instructions (referred to as an 
algorithm) carried out by means of a physical process. Completion of the algorithm 
yields a result that can be reinterpreted in abstract terms: we observe the physical 
system (for instance, by looking at the display of a calculator) and conclude that the 
result is 5. The crucial point here is that, although 2-1-3 may be defined abstractly, 
the process that enables us to conclude that 2-1-3 equals 5 is purely physical. 

The theory of computation has been long considered a completely theoretical 
field, detached from physics. Nevertheless, pioneers such as Turing, Church, Post 



and Godel were able, by intuition alone, to capture the correct physical picture, but 
since their work did not refer explicitly to physics, it has been for a long time falsely 
assumed that the foundations of the theory of classical computation were self-evident 
and purely abstract. Only in the last two decades were questions about the physics 
of computation asked and consistently answered . These later developments led to 
a complete and thorough understanding of the physical limits of classical computers; 
but they were concerned only with the classical theory of computation, for which 
the computing device is supposed to obey the laws of classical physics. This is fine 
as long as one asks questions about computers we have now: any computer that was 
ever built, from the oldest abacus to the latest supercomputer, behaves indeed in 
a classical fashion; but we live in a quantum world and quantum objects tend to 
behave quite differently from classical ones. So what about quantum... computers? 

Despite early suggestions that "something new" may exist when computers 
are enabled to behave in a quantum mechanical way, it was not until the seminal 
work of Deutsch in 1985 that the foundations of quantum computation were 
laid and properly formalised. In his article, Deutsch considers the situation where 
computers behave like quantum systems and can enter highly non-classical states. 
These quantum computers could, for instance, exist in a superposition of states. Each 
state could follow coherently a distinct computational path and interfer to produce 
a final output. This "quantum parallelism", achieved in a single piece of hardware, 
outstrips by far any parallelism that can be thought of in classical computers, thus 
potentially providing quantum computers with unprecedented power. It took indeed 
another decade to gain clear evidence of the power of quantum computers and to 
exhibit specific problems that were intractable on classical computers but that could 
be solved efficiently on a quantum one. The most striking example is the factorisation 
problem. Shor |^ has shown recently that using a quantum algorithm {i.e. an 
algorithm that runs on a quantum computer) it is possible to factor large integers 
efficiently. 

Factorisation is believed to be intractable (or at best extrememly difficult and 
time-consuming) on any classical computer, and Shor's algorithm shows for the first 
time that the class of problems accessible to quantum computers includes problems 
that (so far) cannot be handled efficiently by classical devices. In fact factorisation is 
not of purely academic interest only: it is the problem which underpins the security 
of many classical public key cryptosystems. For example, RSA Q, the most popu- 
lar public key cryptosystem (named after the three inventors, Rivest, Shamir, and 
Adleman), gets its security from the difficulty of factoring large numbers. Hence for 
the purpose of cryptoanalysis the experimental realisation of quantum computation 
is a most interesting issue. This growing interest in the field during these last years 
is backed up by the enormous experimental progress made in testing fundamentals 
of quantum mechanics. In the last decade or two, it has become possible to isolate 
and study single microscopic quantum systems, giving new insights into the meaning 
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of quantum mechanics, opening new horizons of research and above all giving the 
possibility to test fundamental ideas such as those involved in quantum computation. 

This paper is organised as follows. Section 2 is concerned with the limits of 
classical computation. In section 3, 1 introduce the basic notions and tools of quantum 
computation necessary to understand the factorisation algorithm presented in section 
4. Section 5 deals with possible ways of assembling a quantum computer out of basic 
elements, while experimental realisations are presented in section 6, together with 
some fundamental limitations imposed by the difficulty of isolating a quantum system 
from its environment. The final section gives some conclusions and discusses future 
prospects in the field. 

2 A Brief Look at Classical Complexity 

Setting benchmarks is a useful process to understand in which sense quantum algo- 
rithms outperform classical ones. There are rigorous ways of defining what makes 
an algorithm efficient for solving a particular problem For instance we can ask 
questions such as "how does the memory or the time of a computation increase with 
the size of the input of the problem ?" We generally take the input size to be the 
amount of information (measured in bits) needed to specify the input. For exam- 
ple, a number N requires ~ log2(A^) bits of storage on a computer (up to a fixed 
multiplicative factor (log2(10)), the size is the number of digits of in a decimal 
system) . 

As an illustration, let us look at how the time needed to solve two related 
problems varies with the size of the input. On one hand consider the problem of 
factoring a number N of size L (i.e. L digits). Factoring means finding its prime 
factors i.e. finding the set of integer numbers {pi} such that any pi in that set divides 
N with the remainder 0. One way to calculate the prime factors is to try to divide 
by 2, 3, . . . \/iV and to check the remainder. This method is very time consuming. 
It requires about \/iV ~ 10^^'^ divisions, hence the time it takes to execute this 
algorithm increases exponentially with L. An as yet hypothetical computer that can 
perform as many as 10^'^ divisions per second would take about a second to factor 
a 20 digit number, about a year to factor a 34 digit number and more than the 
estimated age of the Universe (10^''s) to factor a 60 digit long number. 

The related problem of multiplying two L digit-long numbers together can be 
solved much faster. The algorithm we are taught in school (reducing the complete 
multiplication in single digit multiplications) requires of these basic operations. 
Multiplying two 60 digits numbers would then take only a blink of an eye on the 
hypothetical computer (see Fig. ||). 

For both problems, the algorithms presented are not the most efficient: for 
factorisation the best algorithm is subexponential and requires ~ gC^^/^Ciog-L)^/^) 
erations |^, and for multiplication Llog(-L) log(log(L)), in the limit that the numbers 
we multiply are very large (more than several hundred digits) 0. Even with these 
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Figure 1: a) Asymptotic behaviour (on the hypothetical computer) of the completion time 
(as a function of the input size) for two related problems. For the factorisation problem the 
time grows exponentially (dashed line), but for multiplication it only grows polynomially 
(plain line), b) Even when the order of the exponential is small {t ~ e*^*, with < e ^ 1, 
e = 0.1 in the figure) and the degree of the polynomial is large {t ~ with rj ^ 1, rj ^ 10 
in the figure) the two curves will cross and above a given input size the exponential case will 
become very inefficient. From the point of view of complexity, only the distinction between 
polynomial and exponential behaviour matters. 

algorithms this asymmetry between the two problems remains: one problem is solved 
in a time that grows (sub)exponentially with the size of the input (i.e. with the num- 
ber of digits of the input), the other requires a time that grows only polynomially (c/ 
Fig. ||b). This asymmetry is a clear illustration of how different problems may require 
a very different amount of resources (in this case time) for obtaining the solution to 
a problem. 

Problems for which the best algorithm runs polynomially {e.g. multiplication) 
are said to be tractable and belong to what mathematicians have called the complexity 
class P, whereas, when the time grows exponentially {e.g. factorisation), they are 
said to be intractable, and belong to other classes of complexity (NP, EXP, depending 
on other characteristics of the problem j^). The strength of this classification is 
that it does not depend on the physical realisation of the computer as long as the 
computer obeys the laws of classical physics. Mathematicians have shown that, as 
long as a computer behaves classically, it is strictly equivalent to a toy model called 
a Turing Machine. As practical devices, Turing Machines probably epitomise the 
worst nightmare of programmers and computer scientists, but they are an invaluable 
tool used by mathematicians to define and establish complexity classes. 

By showing that Turing Machines that obey the laws of quantum mechanics 
could support new types of algorithms {quantum algorithms) Deutsch was able to 
define new complexity classes and establish a new hierarchy Q. However, it was 
not recognised until recently that the class of problems that can be solved in poly- 
nomial time with a quantum algorithm (the class QP) includes problems for which 
the best classical algorithm runs exponentially. Factorisation is one of those, but 



4 



before explaining how quantum computers tackle this task, let me introduce some 
basic definitions. 



3 Quantum bits and pieces 
3.1 Bits and Registers 

At the heart of a quantum computer lies the quantum bit or simply qubit as the 
natural extension of the classical notion of bit. Instead of a simple two-state system 
that can either be in state or 1, a qubit is a quantum two-level system, that in 
addition of the two eigenstate |0) and |1) (the labels are here a mere convention, but 
correspond usually to the ground and excited state of the two-level system) can be 
set in any superposition of the form 

IV') =co|0)+ci|l). (1) 

Any quantum two-level system is a potential candidate for a qubit, but to help to 
construct a mental picture, it is a good idea to carry a concrete, albeit somehow 
idealised, physical example of a qubit. In the following it will be useful to think of 
a qubit as a spin-1/2 particle. |0) and |1) will correspond respectively to the spin- 
down and spin-up eigenstates (along a prearranged axis of quantisation, usually set 
by an external constant magnetic field). 

Although a qubit can be prepared in an infinite number of different quantum 
states (by choosing different complex coefficient Cj's in Eq. (||)) it cannot be used 
to transmit more than one bit of information. This is because no detection process 
can reliably differentiate between nonorthogonal states Q. However, qubits (and 
more generally information encoded in quantum systems) can be used in systems 
developed for quantum cryptography [^], quantum teleportation [0] or quantum 



dense coding [12|. The problem of measuring a quantum system is a central one in 
quantum theory, and much attention has been and is still devoted to this subject |l3| . 
In a classical computer, it is possible in principle to inquire at any time (and without 
disturbing the computer) about the state of any bit in the memory. In a quantum 
computer, the situation is different. Qubits can be in superposed states, or can even 
be entangled with each other, and the mere act of measuring the quantum computer 
alters its state. Performing a measurement on a qubit in a state given by Eq. (|) will 
return with probability |coP and 1 with probability |cip; but more importantly, the 
state of the qubit after the measurement {post-measurement state) will be |0) or |1) 
(depending on the outcome), and not co|0) + ci|l). With our spins, it is convenient 
to think of the measuring apparatus as a Stern-Gerlach device into which the qubits 
are sent when we want to measure them. When measuring a state of the form of 
Eq. (1^), outcomes and 1 will be recorded with a probability |coP and |cip on the 
respective detector plate (see Fig. 

We will call a collection of qubits a quantum register, or simply a register. As 
in the classical case, it can be used to encode more complicated information. For 



5 



instance, the binary form of 6 is 110 and loading a quantum register with this value is 
done by preparing three qubits in state |1) |1) (8) |0). In the following, we use a more 
compact notation: \a) stands for the direct product |a„„i)(8>|a„_2) • • • |ai)®|ao) which 
denotes a quantum register prepared with the value a = 2^ao + 2^ai + . . . 2"'~^a„_i. 
Two states \a) and \b) are orthogonal as soon as a 7^ 6: 

(a I 6) = (oo I 60) (oi Ih) ■■■ {an-i I K-i), (2) 

and if a 7^ 6 at least one of the terms in the r.h.s of the above expression is zero so 
that (a I 6) = 0. 

For an n-bit register, the most general state can be written as 

|*> = '^'c,|x>. (3) 

x=Q 

Note that this state describes the situation in which several different values of the 
register are present simultaneously; just as in the case of the qubit, there is no classical 
counterpart to this situation, and there is no way to gain a complete knowledge of 
the state of a register through a single measurement. 

With our spin picture in mind, measuring the state of a register is done by pass- 
ing one by one the various spins that form the register in a Stern-Gerlach apparatus 
and record the results (Fig. |2|). For instance a two-bit register initially prepared in 
the state |^/;) = l/\/2(|0) + |3)), i.e. l/^/2(|0)|0) + |1)|1)), will with equal probability 
result in either two successive clicks in the up-detector or two successive clicks in the 
the down-detector. The post-measurement state will be either |0) or |3), depending 
on the outcome. A record of a click-up followed by a click-down, or the opposite 
(click-down followed by click-up), signals an experimental or a preparation error, 
because neither |2) = |1)|0) nor |1) = |0)|1) appear in \^). 

3.2 Gates 

In a classical computer, the processing of information is done by logic gates. A logic 
gate maps the state of its input bits into another state according to a truth table. 
The simplest non-trivial classical gate is the NOT gate, a one-bit gate which negates 
the state of the input bit: becomes 1 and vice- versa. The corresponding quantum 
gate is implemented via a unitary operation that evolves the basis states into the 
corresponding states according to the same truth table. For instance the quantum 
version of the classical NOT is the unitary operation C/|mot such 

^not|0) = |1) 
^not|1) = |0). 

In quantum mechanics, the notion of gate can be extended to operations that have 
no classical counterpart. For instance, the operation U/\ that evolves 

^7a|0) = 1/V2(|0) + |1)) 
C/a|1) = 1/V2(|0)-|1)), 
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Figure 2: An idealised measuring device for a quantum computer. Registers made out of 
spins, each one in a random state, pass through a Stern-Gerlach magnet that performs a 
measurement in the spin-up spin down basis (i.e. the basis |0) and |1)). The spins are 
deflected by the device and detected by the detector (plates). After passing through the 
device, the spins point no longer randomly, but are in one of the two possible eigenstates. 

defines a perfectly "legal" quantum gate. Note that it evolves "classical" states into 
superpositions and therefore cannot be regarded as classical. This gate is of great 
utility: take an n-bit quantum register initially in the state |0) and apply to every 
single qubit of the register the gate Up,. The resulting state is 



Thus, with a linear number of operations {i.e. n application of Ua) we have gener- 
ated a register state that contains an exponential (2^*) number of distinct terms. It is 
quite remarkable that using quantum registers, n elementary operations can gener- 
ate a state containing all 2" possible numerical values of the register. In contrast, in 
classical registers n elementary operations can only prepare one state of the register 
representing one specific number. It is this ability of creating quantum superposi- 
tions which makes the "quantum parallel processing" possible. If after preparing the 
register in a coherent superposition of several numbers all subsequent computational 
operations are unitary and linear (i.e. preserve the superpositions of states) then 
with each computational step the computation is performed simultaneously on all 
the numbers present in the superposition. 



= ?7a®?7a®...C/a|00...0) 

= ;fe(|0) + |1)) ® ^(|0) + |1)) ® . . . ^(|0) + |1)) 

= ^(|00. ..0) + |00. ..!) + ... 111. ..!)) 

_ 1 y^2"-l I \ 



(6) 
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3.3 Functions 



Let me next describe now how quantum computers deal with functions. Consider a 
function 

/: {0,1,...2--1}^{0,1,...2"-1}, (7) 

where m and n are positive integers. A classical device computes / by evolving each 
labeled input, 0, 1, ... 2™ — 1 into its respective labeled output /(O), /(I), ... /(2™ — 1). 
Quantum computers, due to the unitary (and therefore reversible) nature of their 
evolution, compute functions in a slightly different way. Indeed, it is not directly 
possible to compute a function / by a unitary operation that evolves \x) into \ f{x)): 
if / is not a one-to-one mapping (i.e. if f{x) = f{y) for some x 7^ y), then two 
orthogonal kets \x) and \y) can be evolved into the same ket |/(a;)) = thus 
violating unitarity. One way to compute functions which are not one-to-one map- 
pings, while preserving the reversibility of computation, is by keeping the record of 
the input. To achieve this, a quantum computer uses two registers: the first register 
to store the input data, the second one for the output data. Each possible input 
X is represented by the quantum state of the first register. Analogously, each 
possible output y = f{x) is represented by the quantum state of the second reg- 
ister. States corresponding to different inputs and different outputs are orthogonal, 
{x\x') = 5xx'i {y\y') = Syyi. The function evaluation is then determined by a unitary 
evolution operator U f that acts on both registers: 

Uf\x)\0) = \x)\f{x)). (8) 

It has been shown that as far as computational complexity is concerned, a 
reversible function evaluation, i.e. the one that keeps track of the input, is as good 
as a regular, irreversible evaluation [22]. This means that if a given function can be 
computed in polynomial time, it can also be computed in polynomial time using a 
reversible computation. 

The computations we are considering here are not only reversible but also quan- 
tum, and we can do much more than computing values of f{x) one by one. We can 
prepare a superposition of all input values as a single state and by running the com- 
putation Uf only once, we can compute all of the 2"* values /(O), . . . , /(2"* — 1), 

\^ 2;=0 / ^ x=0 

It looks too good to be true so where is the catch? How much information about / 
does the state contain? 

As we would expect, no quantum measurement can extract all of the 2"* values 
/(O), / (I), . . . , /(2"^ — 1) from Imagine, for instance, performing a measurement 
on the first register of lip). Quantum mechanics enables us to infer several facts: 



8 



• Since each value x appears with the same complex amplitude in the first register 
of state {i/j), the outcome of the measurement is equiprobable and can be any 
value ranging from to 2"^ — 1. 

• Assuming that the result of the measurement is \j) , the post-measurement state 
of the two registers (i.e. the state of the registers after the measurement) is 
IV') = Thus a subsequent measurement on the second register would 
yield with certainty the result /(j), and no additional information about / can 
be gained. 

However, there are more subtle measurements that provide us with information about 
joint properties of all the output values f{x) such as, for example, the periodicity of 
/. I will describe in the following sections how an efficient periodicity estimate can 
lead to a fast factorisation algorithm. But let me first introduce some mathematical 
results in number theory that are relevant to the problem. I shall not attempt to give 
a rigorous exposition nor to provide proofs, as they can be found in most textbooks 
on the subject (see for example 



4 Quantum Factorisation 
4.1 Periodic functions 

The factorisation problem can be related to finding periods of certain functions. In 
particular one can show [15| that finding factors of is equivalent to finding the 



period of the function 

/a,7v(x) = a"modiV (10) 

where a is any randomly chosen number which is coprime with N, i.e. which has no 
common factors with (if a is not coprime with A^, then the factors of A^ are trivially 
found by computing the greatest common divisor of a and A^). This function gives 
the remainder after the division of by A^. The function is periodic with period 



r lU] , which depends on a and A^. 

Knowing the period r of fa,N, we can factor A^ provided r is even and r mod A^ ^ 
— 1. When a is chosen randomly the two conditions are satisfied with probability 
greater than 1/2. The factors of A^ are then given by gcd(a'"/^ it 1, A^), the greatest 
common divisor of a''/^ it 1 and A^. Fortunately, for this last calculation, an easy and 
very efficient algorithm has been known since 300 BC. The algorithm, known as the 
Euclidean algorithm, runs in polynomial time on a classical computer, reducing thus 
the problem of factoring big numbers to the related task of finding the period of a 
function. 

To see how this method works, let me illustrate it with a very simple example. 
Let us try to factor A^ = 15. Firstly we select a, such that gcd(a,A^) = 1, for in- 
stance a = 7 (with A^ = 15, a could be any number from the set {2, 4, 7, 8, 11, 13, 14}). 
The values of /7,i5(x) = 7^ mod 15 for x = 1, 2, 3, 4, 5, 6, 7 . . . are 1, 7, 4, 13, 1, 7, 4 . . . 
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respectively and clearly the period here is r = 4. a*"/^ gives 49 and by comput- 
ing the largest common divisors gcd(a''/^ it 1,A^), we find the two factors of 15: 
gcd(48, 15) = 3 and gcd(50, 15) = 5. The periods of fa,i5{x) for other values a in 
the set {2,4,7,8,11,13,14} are respectively {4,2,4,4,2,4,2} and in this particular 
example any choice of a except a = 14 leads to the correct result. For a = 14 we 
obtain r = 2, a''/^ = —1 mod 15 and the method fails. 

Every step of this method, except finding r, can be performed in polynomial 
time on a classical computer. Unfortunately, finding r is actually as time consuming 
as finding factors of N by the trial division method since it requires us to evaluate 
fa, Nix) an number of times exponential in L on average (where L is the size of the 
number we want to factor, L ~ log2(A^)); however, if we employ quantum compu- 
tation, r can be evaluated very efficiently. Shor describes a quantum algorithm 
which provides the period r of a function and which runs efficiently (i.e. in polyno- 
mial time) on a quantum computer. Let me now outline the main features of this 
algorithm. 

4.2 Using quantum parallelism for factorisation. 



As was pointed out in Sect. 3.3, quantum mechanics enables us to compute a function 
/ for different values by just applying the corresponding unitary operator C/j on a 
register previously set in a superposition of orthogonal states. Let us play this game 
for the function fa,N{x). Since the result cannot be larger than N, the output register, 
as defined in Sect. |3.3| , should have at least L qubits. For reasons that will become 
clear later, we will consider an input register of 2L bits. Both registers are initially 
loaded with the value and the total initial state is 

|0)|0). (11) 

We first set the input register into an equally weighted superposition of all possible 
states, from to 2^-^ — 1 (~ A^^), by applying the gate (defined in Sect. |3.2| ) on 
each qubit of the input register 

4 E l^)|0)- (12) 

x=0 

Applying the operator C//^ jy *o ^^^^ state, we obtain 

^ Y: \x)\fa,N{^)). (13) 

At this stage, all the possible values of fa,N are encoded in the state of the second 
register, but as was pointed out earlier, they are not all accessible at the same time. 
On the other hand, we are not interested in the values themselves but only in the 
periodicity of the function. Let me proceed now with an example to see how this 
periodicity can be efficiently retrieved. 
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outcome 


post-measurement state 


offset / 


1 


e(|0) + |4) + |8)+ ...)|1) 





4 


e(|3) + |7) + |ll) + ...)|4) 


3 


7 


e(|l) + |5) + |9)+ ...)|7) 


1 


13 


e(|2) + |6) + |10) + ...)|13) 


2 



(15) 



Table 1: Possible outcomes of the measurement performed on the second register of the 
state of the form ^ X]^=o~^ \x)\fa,N{x)), with a — A and N = 15. The post-measurement 
state and the offset I is also given for each possible outcome. 



Taking the same values as in the example of the previous section (A^ = 15 and 
a = 7), the state of the two registers after applying Uj^ is 

^ (|0)|1) + |1)|7) + |2)|4) + |3)|13) + |4)|1) + |5)|7) + |6)|4) + |7)|13) + ...), (14) 

At this point, we perform a measurement on the second register. We take each 
spin that forms the second register, pass it through our Stern-Gerlach measurement 
apparatus, record each outcome (0 or 1) and reconstruct the value of the register. In 



Eq. (14), the second register encodes only the four different values 1,4,7 or 13, and 
therefore any other measurement outcome is impossible, unless an experimental error 
has occured. The state of the second register after a measurement with outcome j 
is For the first register the situation is a bit more delicate and the post- 

measurement state of the first register will be an equally weighted superposition of 
the states in Eq. (p!^) for which the second register was in state \j) . Table |l| sums 
up the possible outcomes and the post-measurement states of the two registers. We 
forget now about the second register and focus only on the state of the first one. 

Let me dream for a while and imagine that quantum mechanics enables me to 
dictate the outcome of the measurement I perform on the second register. Imagine 
that I decide always to obtain, say, 4. In this case, I would be able to prepare at will 
the quantum computer in the state 

e(|3) + |7) + |ll) + ...)|4). (16) 

Returning to normal rules of quantum mechanics, I could now perform a measurement 
on the first register and obtain with equal probability any of the values 3, 7, 11, 15 . . . 
etc. Repeating the procedure from the beginning two more times, I could, with a 
very high probability obtain two other distinct values, which would enable me to find 
the period very easily: if in these three successive runs, I obtain for instance 19, 3 
and 11, the period is easily found to be gcd(19 — 11, 11 — 3) = 4. 

^With the Stern-Gerlach apparatus of the previous section, one can consider that the spins of the 
second register are "absorbed" by the detectors, and not available anymore after the measurement. 
For the factorisation algorithm presented here, this does not matter, as the second register will never 
be used again. However, knowing the outcome j, one could in principle easily reconstruct a quantum 
register in the state \j) by using, for instance, new spins. 
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Unfortunately, dictating the result of a measurement on the second register vio- 
lates the rules of quantum mechanics. Measurement outcomes are probabilistic, and 
in my example, each allowed outcome (1, 4, 7 or 13) is equiprobable. In this particular 
case, I could repeat the experiment a few times and retain only the runs for which the 
outcome is 4. However, the notion of efficiency is defined for asymptotic behaviour 
and not for particular cases. The real question is to know how this technique will 
perform for increasing A^'s. Quite clearly, it does not look promising; in a general 
case, when the period is r, there are r possible different outcomes. Since r also grows 
exponentially with L (the size of A^), the approach that consists of repeating the 
quantum computation over and over again until measuring in the second register at 
least three times the same value (in order then to perform a measurement on the first 
register and find the factor via a greatest common divisor calculation) is inefficient. 

An additional ingredient is needed to make the quantum algorithm polynomially 
efficient. Whatever the outcome of the measurement was, the first register is left in 
an equally weighted superposition of the form 

[22^- /rj 
j=0 

with r being the period of fa,N{x)-, I an offset value and ^ an appropriate normalisa- 
tion factor, (c/. Fig. ^a and Table H) . Regardless of the outcome of the measurement, 
the period r of the function fa^N is always refiected in the post-measurement state 
of the first register. But it is not readily accessible, as the offset / depends proba- 
bilistically on the outcome of the measurement. It is nevertheless possible to get rid 
of this irritating offset by using a quantum equivalent of the classical Fast Fourier 
Transform. This operation is known as the Discrete Fourier Transform (DFT). 

4.3 Discrete Fourier Transform 

Consider the unitary operation [/dft that acts on a quantum register and effects 

1 ^^^""^ X 
f^DFxk) = ^ E exp(27rj^)|2/), (18) 

y 

where 2L is the size of the register. The reason for calling this particular unitary 
transformation the discrete Fourier transform becomes obvious when we notice that 
in the transformation 

C/dft E Calx) = Ec?/|y) (19) 
x=0 y 

the coefficients Cy are the discrete Fourier transforms of c^^'s i.e. 

Cy = ^ E exp(27ri-2u)c^. (20) 
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Figure 3: The DFT on an input state of the form Cx\x) results m Cy\y). When the 
input state is periodic, as in (a), the effect of the DFT is to eliminate the eventual offset I and 
to invert the period r 2^ /r (b). In the figure L = 8, / = 3 and r = 4. In this particular 
case the period r divides exactly 2^, resulting thus in a "clean" transformation. Appendix]^ 
describes a more general case where r does not divide 2^, in this situation a slight spread 
occurs in the peaks of the Fourier transformed state (c/. Fig. ||). 

The strength of the DFT lies in the fact that when it acts on a periodic state 
of the form of Eq. (p^, it will wipe out the offset /, and transform it into a phase 
factor that does not affect the probabilistic outcome of a later measurement on the 
register. Appendix^ shows how the DFT on a 2L-bit register maps a state of period 
r into a state of period 2^^ /r. When r divides exactly 2^^, the resulting state has a 
nice closed form (c/. Fig. 

1 ""^ 

A more careful analysis is required when r does not divide 2^^ (see Appendix |A[) . 
Even in this more general case, the DFT retains the features illustrated in the partic- 
ular situation above: it "inverts" the periodicity of the input (r 2^^/r) and it has 
this translation invariance property which washes out the offset / (Fig. |^). Thus, 
by effecting C/dft on states of the form of Eq. (|l^) with different /, we always end 
up with a state for which neither the outcome of a measurement, nor its probability 
depend on / anymore. 

In the previous section, I showed how to construct a state of a register with a 
periodic superposition and an arbitrary offset. Combining this method with a DFT, 
it is now possible to retrieve efficiently the "inverted" period 2^^/r (c/. Fig. ^), from 
it the period r, and finally the factors of A^. 

4.4 Randomised algorithms 

Shor's algorithm is a randomised algorithm which runs successfully only with proba- 
bility 1 — e. We know when it is successful: it produces a candidate factor of N which 
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Figure 4: Probability of having at least one successful run after k runs of a randomised 
algorithm with probability of success e. The various curves illustrate different values of e, 
ranging from e = 0.9 (bottom curve), to e = 0.1 (top curve). 

can be checked by a trial division to see whether the result is indeed a factor or not. 
This check can be effected in polynomial time as it just involves a division. If e > 
is independent of the input A^, by repeating the computation k times, we get proba- 
bility 1 — e'^ of having at least one success. This can be made arbitrarily close to 1 by 
choosing a fixed k sufficiently large (see Fig. Furthermore, if a single computation 
is efficient, then repeating it k times will also be efficient since k is independent of N. 
Thus the success probability of any efficient randomised algorithm of this type may 
be amplified arbitrarily close to 1 while retaining its efficiency. Indeed we may even 
let the success probability 1 — e decrease with N as l/poly(log A^) and k increase 
as poly(logA'^) and still retain efficiency while amplifying the success probability as 
close to 1 as desired. Shor's quantum factoring algorithm is of this type; it is based 
on an efficient algorithm which provides a factor of the input N with a probability 
which decreases as l/poly(log A^). 

The randomness in the algorithm is due to certain mathematical results con- 
cerning the distribution of prime and coprime numbers. For instance, for some values 
of the initial number a, the algorithm will fail, even if a coprime with N {cf. Sect. ^j] ). 
Also if we abandon the assumption that r divides 2^^ (very unlikely and adopted 
in this section only for pedagogical purposes) the DFT of Cx will not produce sharp 
maxima as in Fig. ^. which may contribute to possible errors while reading y from 
the register. Subsequent estimation of r is calculated using additional mathematical 
approximation techniques (continued fraction expansion, see for instance p^]). 

If we try to factor larger and larger numbers A^ it is enough to repeat the compu- 
tation a number of times that grows polynomially with L to amplify the probability 
of success as close to 1 as we wish. This gives an efficient determination of r and an 
efficient method of factoring any A^. 
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Figure 5: An idealised picture of what a quantum network could look like. Spins enter a 
network of gates (on the left) and "fly" from one gate to another, where they interact with 
other qubits (two-bit gates) or are just individually manipulated (one-bit gates). Eventually, 
at the end of their journey, they are measured by a Stern-Gerlach apparatus. 

5 Towards Quantum Networks 

In the previous sections I have specified unitary operations by describing how they 
affect the state of the registers on which they act. I have not given any indications of 
how to implement them. These operations are usually quite complex. For instance 
the DFT on a register of L qubits is an operation that acts on a 2^ dimensional state; 
the mere task of writing down its matrix would take an exponential time in L. The 
method for implementing these unitary operations depends on the computational 
paradigm that is to be used. The only requirement being, of course, that neither the 
size of the implementation nor the time necessary to perform the operation should 
grow faster than a polynomial in the size of the problem. 

Deutsch [0] described quantum networks as a possible way to effect complex 
unitary operations. Quantum networks are composed of elementary logic gates con- 
nected together by wires. The only purpose of the wires is to transfer a quantum 
state from the output of a gate to the input of another one (and eventually to a 
measurement device). Of course, just as it is the case for quantum gates, the nature 
of these wires depends on the technological realisations of the qubit. For instance, 
wires could hypothetically be the trajectories of flying spins: two spins may have 
their trajectory inflected, enter a zone in which they interact together (a two-bit 
gate), fly apart again, enter another zone in which they interact with other qubits. 
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etc. (see Fig. ^). The fundamental idea underlying quantum networks is to decom- 
pose complex unitary operations acting on several qubits into a sequence of simple 
one- and two-bit gates. Other paradigms to implement quantum computation in- 
volve for instance quantum cellular automata, but so far they have not proved to be 
tools as valuable as the idea of quantum networks. I will not discuss them here, and 



the interested reader can refer to the literature on the subject [18|. 

Deutsch showed that there exists a universal three-bit quantum gate from which 
any quantum computation, i.e. any unitary operation on any finite number of qubits, 
can be built by a suitable network consisting only of copies of this gate. This result 



has been improved upon since then |1S] and we now know that almost any non-trivial 
two-bit gate is universal |2^. Much attention has also been devoted to the efficient 
construction of more complex quantum gates [^, and to specific networks, such as 
the one that effects the modular exponentiation required in the first part of the fac- 



torisation algorithm |22|. In the following, I will illustrate how the quantum discrete 
Fourier transform discussed above can be implemented as a network consisting of 
only one- and two-bit gates. 



Consider again the one-bit gate {7a of Sect. 3.2 performing the unitary trans- 
formation 



C/a|0) = ^(|0) + |1)) 

f^A|i) = 4,(|o)-|i)). 



— A — 



(22) 



The diagram on the right provides a schematic representation of the gate acting on 
a qubit q. Consider also the two-bit f/B((^) gate acting on qubits qi and q2 and 
performing the operation 



C^BwlOl) 

f^BwIll) 



1 00) 
|01) 
1 10) 

6**^111). 



qi 



q2 



qi — 6 — 



q2 



(23) 



The gate C7b{0) performs a conditional phase shift, i.e. a multiplication by a phase 
factor e**^ only if the two qubits are both in their |1) state. The three other basis 
states are unaffected. 

The DFT on a register of any size can be implemented using only these two 
gates. For example, consider a four-bit register with qubits uq, . . . a^. The network 
in Fig. ^ follows step by step the classical algorithm of a DFT ||^], and performs the 
operation 



J2 exp(27rmc/2^)|6), 



(24) 



c=0 



where \b) represents the value c read reversing the order of the bits i.e. 



i=0 



with Cfc given by c 



k=0 



(25) 
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Figure 6: Network effecting a DFT on a four-bit register, tlie phases tliat appear in tlie 
operations Uqi^^.^^ are related to the "distance" of the qubits upon which Uq acts, namely 
(t>3k = Tr/2^~'^. The network should be read from the left to the right: first the gate A is 
effected on the qubit as, then i?(032) on 02 and 03, and so on. 

A trivial extension of the network following the same sequence pattern of gates on L 
qubits gives the general DFT. In this case the transformation requires L operations [/a 
and L(L — 1)/2 operations C^b(0)) iii total L(L + l)/2 elementary operations. Thus the 
quantum DFT can be performed efficiently. Moreover, it can even be simplified p3|| : 
in a general network for DFT, the operations C^b(</>) that involve distant qubits aj and 
Ofc, i.e. qubits for which |j — A:| is large (and therefore (j) = 7r/2'^~-' approaches zero), 
are close to unity. Therefore when performing the quantum DFT on registers of size 
L, one can neglect operations C^b(0) on distant qubits (more precisely on qubits aj 
and afc for which |j — fc] > log2(-^^) + 2) and still retrieve the periodicity of coefficients 
Cx with high probability |24| . 

The network of gates for the quantum DFT enables the efficient implementation 
of the second part of Shor's algorithm. The first part requires an efficient quantum 
evaluation of the function fa,N{x) = mod A'". The computation of /a,Ar(x) is "easy" 
i.e. the number of elementary operations does not grow faster than a polynomial in 
the size of the input. The respective network is constructed by combining networks 



which perform additions and multiplications in a reversible and unitary way |22]. 

6 Practicalities 

It remains an open question which technology will be employed to build the first 
quantum computers. The conditional quantum dynamics which I alluded to when 
introducing the operation can be implemented in many different ways, ranging 
from Ramsey atomic interferometry ||25|, interacting electrons in quantum dots p6| 



to ions in ion traps |27] and atoms coupled to high finesse optical resonators |28|. 



In the following I will present a possible scheme to implement the simple two-bit 
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quantum gate "controlled-NOT" (CNOT) [|2^. Its effect on the basis states is 

(26) 



C/cnot|00) = |00) 
C/cnot|01) = |01) 
C/cnot|10) = 111) 

c^cnotIh) = |io). 



The gate effects a logical NOT on the second qubit (target bit), if and only if the 
first qubit (control bit) is in state 1. Two interacting magnetic dipoles (for in- 
stance, the spins we have considered in the previous sections), sufficiently close to 
each other, can be used to implement this operation. Under carefully chosen condi- 
tions [29U (complement Bxi) the total hamiltonian of this system can be written 



H = Hi + H2 + -ffcoupi (27) 

with 

Hi = huJiSi z 

H2 = nL02S2,z (28) 

-ffcOUpl = 4:fi^Sl^zS2,Z, 

where Si^z and S2,z are the z components of the spin operators for spin 1 and 2 
respectively, so that Si^z\0,-) = — l/2?i|0,-) and Si^^jl,-) = -|-l/2?i|l, •) (similar rela- 
tions hold for 5*2,2) • = liBi depends on the gyromagnetic ratio 7^ of spin i and 
of the magnetic field Bi (along the z axis) experienced by spin i. We will suppose 
that either the magnetic fields or the gyromagnetic ratios are different for each qubit 
so that uji UJ2- Finally is a coupling factor that depends, among others, on the 
distance between the two spins and their relative orientation. The form of the above 
hamiltonian is valid under the assumption that the coupling $7 is small enough to be 
regarded as a perturbation. 

Without coupling ($7 = 0, for instance when both spins are sufficiently far 
apart), each spin can be selectively flipped by a resonant electromagnetic field of 
appropriate duration and intensity: shining a pulse at frequency lvi on both spins 
will affect only spin 1, switching it from state |0, •) (spin down) to |1,-) (spin up), 
and vice versa. Similarly, a pulse of frequency u)2 will only affect spin 2. 

When both spins are close enough to interact ($7 > 0), the situation is more 
complicated and one needs to find the eigenstates of the hamiltonian H. Fortu- 
nately, H remains diagonal in the basis {|00), |01), |10), |11)} and the energies of the 
eigenstates are shifted by ±.TiQ.^ depending on the state (c/. Fig. 0a). By carefully 
selecting a resonant frequency, it is now possible to induce selective switching of one 
spin depending on the state of the other. Fig. |^ illustrates how a pulse of frequency 
L02 + ^ induces a switching betweeen states |10) and |11) only, leaving states |00) and 
|01) unaffected, implementing thus the CNOT operation. 

Obviously the above description is rather simplistic and does not include any 
unwelcome effects; however, the form of the hamiltonian H and of the coupling 
-f^coupl appears in many radically different contexts (excitons or electrons in quantum 



18 



a) 



Energy 



111) 

lio) 

lOl) 

loo) 





















fi = 



b) 



CO9 + £2 



W2-Q 



Q>0 



without coupling Q = 



a>2 coj 
with coupling £2 > 



CO2 - £2 CO2 + £2 CDj - £2 ft)j + £2 



Figure 7: (a) Eigenenergies of the basis state of two spins without and with coupling, (b) 
Resonant frequencies of the two spins without and with coupling. When there is no coupling, 
the two frequencies are made different for instance, by putting each spin in a magnetic 
field of slightly different intensity. With coupling, each resonant frequency is split into two 
frequencies; if the splitting is sufficient, it is possible to select specific transitions. The dotted 
transition corresponds to the CNOT operation, in which only states |10) and |11) are affected. 



dots 1 26 1, interacting Cooper pairs in superconducting islands ||30[]), and is general 
enough to make this setup worth mentioning. 

6.1 Coupling with the environment: the decoherence problem. 

In order to perform a successful quantum computation, one has to maintain a co- 
herent unitary evolution until the completion of the computation. Technically it is 
not possible to ensure that a quantum register is completely isolated from the en- 
vironment. This remnant coupling induces decay and decoherence processes, both 
of which drastically reduce the performance of a quantum computer, even when the 
coupling is very weak. Decay is a process by which a quantum system dissipates 
energy in the environment. For a spin, it is for instance a transition from |1) — > |0), 
accompanied by the emission of a photon of appropriate wavelength. Decoherence is 
a subtler phenomenon that involves no exchange of energy with the environment |^T[ . 
Its effect is to scramble the relative phase of the various parts of a quantum super- 
position. Decoherence occurs in most cases on a much faster timescale than decay, 
and therefore, I will focus on this kind of processes. 

Decoherence can be more easily understood if we formalise it in the language of 
density operators, rather than in the more familiar Dirac notation. When a quantum 
system is in a pure state, it can be equivalently described by a ket \^) or by a density 
operator p = The characteristic effect of decoherence is to destroy the off- 



diagonal elements of the density operator; the system evolves into a "mixed state" ^1 
for which the ket notation is no longer suitable. To see how this can affect quantum 
computers, let me first consider the very simple situation in which a qubit initially 
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in the state |0) undergoes successively and without decoherence two operations C/a 
(as introduced in Sect. |3.2|): 



= |0) ^ i=(|0) + |1)) ^ |0) = \^|;f,n). (29) 

In a density matrix formulation, this sequence can be written (in the basis B = 
{|0),|1)}) 

P-=(j o)^^(} l)=Pf^n. (30) 

A measurement of the final state would yield with probability one. Let me sup- 
pose now that decoherence occurs in between the two operations ?7a and wipes out 
completely the off-diagonal elements (this is of course an oversimplification, and one 
should rather picture decoherence as a continuous process that progressively elimi- 
nates the off-diagonal elements). In this case, the sequence of operations reads 

Pfin, (31) 

and Pfin no longer represents a qubit in the state |0), but rather a statistical mix- 
ture of the states |0) and |1). Performing a measurement on the qubit would now 
return either or 1 with equal probability; thus decoherence affects the probability 
distribution of the possible outcomes of a computation. 

The onset of decoherence is actually more complex, and to a large extent de- 
pends on the physical situation. In a typical case, for a quantum computer of S qubits 
which interacts with the environment in a thermal equilibrium, the off-diagonal ele- 
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ments of the density matrix decay exponentially fast at a rate jS |32] 

p^jit) ^ p,,{0)e-^^' (32) 

where 7 = l/r^ec is a constant that describes the coupling of a single qubit with the 
environment: the stronger the coupling, the higher 7 and the smaller the decoherence 
time Tdec- 

For an efficient computation, we have seen that both S and the total compu- 
tation time ttot required to complete the algorithm should not grow faster than a 
polynomial, so that one can write 

5 ~ ttot ~ L^telem, (33) 

where teiem is the characteristic time needed to perform a single elementary com- 
putational step of the algorithm. From this, it is then possible to show that the 
probability V of measuring the right answer at the end of the quantum computation 
decreases exponentially with S and ttot, and hence with L""*"^: 
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Figure 8: Numerical simulations that mimic the effect of decoherence on the result of a 
DFT. The initial state (not shown) is a periodic state with r = 4 on a register of varying 
size (see Fig. ^ for the case L = 8). Without decoherence, the resulting state should have 
only 4 components (Fig. ^). The coupling with the environment induces errors (a-d), and 
reduces the probability of measuring the right answer. For a fixed 7 and increasing L, the 
probability of getting the right peak decreases in a characteristic exponential way (central 
plot). The four plots a), b), c) and d) show the diagonal elements of the density matrix 
of the output. The intensity of the four principal peaks decreases as L increases, and the 
probability of measuring a correct result decreases in an exponential fashion (central plot). 
Note that the scales on the vertical axis are adjusted for graphs c) and d). 



This can be illustrated in a very simple situation. Consider performing a DFT on 
a register of L qubits that encodes a superposition of period r = 4. Without deco- 
herence, we expect, according to Eq. (21), to measure with equal probability either 
|0), |2'^~^), |2 • 2'^"^) or \3-2^~'^). The measurement outcome will be affected by 
decoherence and Fig. |8| illustrates how the diagonal elements of the density matrix of 
the state {i.e. the probability outcomes of a measurement) behave. The calculation 
is repeated for different L with the same amount of decoherence (given by a fixed 7). 

To obtain at least one successful computation, one needs to run the computer 
on average 1/V = 6'''*^''=™^°^" times. Thus the problem becomes exponentially dif- 
ficult as soon as some decoherence is present. From the complexity point of view, 
the magnitude of 7 has no relevance: as soon as there is some coupling with the 
environment and 7 is non-zero, any computation becomes inefficient. It is however 
quite clear that for small 7 (long decoherence time r^ec = I/t), it is possible to effect 
some quantum operations before decoherence takes its toll. Technological progress 
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Technology 


telem 




M 


Mossbauer nucleus 




10-iU 


10^ 


Electrons GaAs* 




10-10 


103 


Electrons Au 


10-14 


10-8 


10^ 


Trapped ions* 


10-14 


10-1 


10^3 


Optical cavities 


10-14 


10-5 


109 


Electron spin 
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10-3 


10^ 


Electron quantum dot* 


10^6 


10-3 


103 


Nuclear spin 


10-3 


10^ 


10^ 


Superconductor islands* 


10-9 


10-3 


10^ 



Table 2: Figure of merit M for different technologies. The table gives respectively the char- 
acteristic decoherence time Tdea the (minimum) time to complete an elementary operation 
teiem (defined as teiem — h/ l^E, where is the energy splitting between the two states |0) 
and |1) of the qubit) and the number of operations M. that could in principle be effected on 
a qubit before decoherence takes over. Asterisks indicate that the numbers given are to a 
large extent speculative. The values are taken from p5|. 



in isolating quantum computers from the environment and reducing decoherence will 
increase the largest number that can be factored by such computers. The require- 
ment for a coherent computation to be completed within the decoherence time can 
be written as 

ttot < Tdec/S = Tdec/L°'- (35) 

The right-hand side is the characteristic decoherence time of L° qubits. From the 
above it follows that 



L<(^] . (36) 



With the best implementation of the factorisation algorithm a = 1 and /3 = 3 |22|, 
hence the size of the largest number that can be factored is bounded by L < 
{'Tdec/'teiemY^^ ■ This is an optimistic estimate in which only decoherence is taken 
into account. A careful analysis shows that this bound is dramatically reduced when 
decay phenomena (such as spontaneous emission) are also included p^ . 

The ratio M. = T^ec/teiem is a useful figure of merit for comparing different 
technologies. It tells us, very approximatively, how many elementary operations can 
in principle be performed on a single qubit before it decoheres. Table ^ summarises 
these values for some of the technologies that could be used to implement basic quan- 
tum computations. Some of these have already been used to implement fundamental 
two-bit gates (such as the CNOT operation) |Q. It is however still too early to say 
if the present experimental setups can be scaled up easily and if these technologies 
can be used to implement computations on many qubits. 
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7 Conclusion 



As was the case in quantum cryptography a few years ago, the field of quantum 
computation is rapidly growing and has already begun to move from a theoretical to 
an experimental phase. Whether a full quantum computer will ever be built remains 
an open question. The technological challenge is immense and many problems must 
be overcome first. A quantum computation requires coherent quantum evolution on a 
macroscopic scale. Not only that, it also needs to be actively controlled. At present, 
we know of very few macroscopic quantum states that involve many particles, or 
subsystems {e.g. electrons in a superconductor, ^He atoms in a superfluid, or the 
recently observed Bose-Einstein condensates of Rb, Na or Li atoms); in each case, the 
state is globally quantum and the particles are not controlled on an individual basis. 
We may argue that each of these quantum systems performs a quantum computation 
in its own, but it may not be a computation we are interested in and moreover, we 
have no real control over it. 

The fragility of these macroscopic quantum systems tells us much about the 
effect of decoherence. As explained in the last section, decoherence ultimately cuts 
out any "exponential" speed-up that we may gain from using quantum computers 
and quantum algorithms, simply because to overcome it, the best technique so far 
is to run the same computation over and over again an exponential number of times 
(until we get a correct answer) . Fortunately, this is not the end of the story. Classical 
computers suffer from similar problems, and yet, one tends to agree that classical 
computers are (in general!) reliable. This is because in the classical situation we 
have efficient ways to fight errors. For existing computers, error-correcting codes 
have been designed that are exponentially effective and that can handle and control 
possible errors. Unfortunately, these techniques cannot be directly translated to tame 
decoherence in quantum computers. They are based on redundancy {i.e. several bits 
encoding one bit of information), and more importantly, on a periodic monitoring of 
the state of the computer. Periodic monitoring means, grosso modo, measuring the 
state of the computer, diagnosing an eventual error (and eventually correcting it); but 
as we have seen, the mere act of performing a measurement on a quantum computer 
will alter its state. This obliges us to rethink the problem of error-correction in 
quantum terms. First promising steps in this direction have already been made p6|| . 

From a fundamental point of view, it is irrelevant whether or not a "quantum 
personal computer" will materialise in the next decade. More important is the insight 
we will gain in their study. Quantum computation already tells us a lot about 
the deep connections between physics, computation and more generally information 
theory. No doubt there is much more to learn. 
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A Discrete Fourier Transform 

Let us consider the simplified situation where the period r divides 2^ exactly. A 



register in a periodic state is given for instance by Eq. (17), which we rewrite 

G 2^-1 



j=0 x=0 



(37) 



with G = 2^ jr. Performing a D FT on 



"out/ 



gives 



(38) 



where the amplitude of Cy is 

2^ 



2/ = ^ E ^ — 



j=0 



^exp l2m^ 



G 



(39) 



The term in the square bracket on the r.h.s. is zero unless y is a multiple of 2^/r, 
J exp(27ri/y/2^)/-yr if y is a multiple of 2^/r: y = k2^ /r 







otherwise 



(40) 



Therefore, in the particular case when r divides 2^ exactly, \(pout) can be written 

r-l 



1 



\(j)out) = ^ E exp(27ri/A;/r) \k2^ /r 



(41) 



k=0 



A more elaborate analysis is actually required when r is not a multiple of 2^. In 
this case, after effecting the DFT, the coefficients Cy are peaked on the closest integers 
to the multiples of 2^/r {cf. Fig. |9|). These peaks have a spread that decreases 
exponentially with L (hence the reason to choose in the factorisation algorithm the 



size of the first register to be 2L). A careful analysis of this case can be found in |16|. 
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Figure 9: Same as Fig. H, but in ttiis case r = 5 does not divide exactly 2^ = 256. Tiiis 
results in a broadening of the peaks of the output state ^yCy\y). Nevertheless, it can be 
shown that, when effecting a measurement on this state, the closest integers from multiples 
of are the most likely outcomes. This is illustrated in the inset: 102 (local maximum), is 
the closest integer of 2 x 2^/5 = 102.4. (Normally one plots |cj,p, i.e., the actual probabilities, 
but here |c(y)| is plotted to emphasise the spread of the peaks.) 
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